Juniper Expands UAC, Works on Enterprise Pitch

Juniper Networks is updating its unified access control (UAC) technology in a new release that expands the capabilities and definition of what network access control is all about.

Network access control (NAC) ensures that network access is granted only to validated and properly secured endpoints. As a security approach, though, NAC can do a lot more than just control access: it can be a control point for overall network security.

"Most enterprises don't have a NAC budget, but there is a subset that they do have a budget for," Karthik Krishna, director of product management for Juniper, told InternetNews.com. "Overall, enterprises are concerned about network protection, and NAC is part of that."

Network protection is what Juniper is aiming to provide with its UAC 2.1 release, which expands on Juniper's UAC 2.0, released a year ago. UAC is essentially Juniper's take on NAC.

With UAC 2.1, Krishna explained that Juniper is moving to more dynamically protect networks with network intelligence. That intelligence comes from a number of sources, including integration with Juniper's Intrusion Detection and Prevention (IDP) platforms to provide coordinated threat control.

The idea is that with UAC 2.1 and IDP, a network administrator can identify a threat, along with the user or device that the threat is coming from or directed against, and take action against that specific user or device.

"Coordinated threat control takes application control that is deep in the network and brings it closer to the edge," Krishna said. "It leverages network information for access control."

Krishna added that in the past, network administrators have had very limited visibility into who the user actually was. With a coordinated approach, UAC helps networks respond to threats better by providing richer visibility into users and the ability to correlate users to applications with a higher level of detail.

Beyond being just an approach to securing users in a network, UAC 2.1 can also be used for application layer control.

"Many enterprises are focused on protecting applications and not users," Krishna said. "UAC in an overlay mode makes sure that only authorized users can access applications."

Using UAC for application access is not intended to compete against Microsoft Active Directory or other LDAP access technologies. Krishna sees UAC as being very complementary in that it provides an additional level of visibility and granular user control. With UAC, an application can grant user access not just on username and password but also with an eye to ensuring that the user is who they say they are and that they don't currently represent a risk.

Juniper is also expanding the footprint of what endpoints UAC can actually manage and recognize. Devices such as printers and VoIP phones that previously had been difficult to manage are easier to identify and control with UAC policy.

Juniper's move to more easily identify and control unmanageable devices in NAC follows rival Cisco's release of its similar NAC Profiler product in September.

At that time Cisco also released a NAC module that plugs into its popular ISR (integrated services router). Cisco considers the pluggable NAC module as something that will help end users more easily deploy NAC.

Juniper, which has a similar pluggable router with its SSG product family, does not have a pluggable UAC module. "We're not seeing the demand for integration like that," Krishna explained.

Juniper supports enforcement of UAC on its SSG, but a full UAC solution still requires a standalone appliance, Juniper's Infranet Controller.

While NAC-type solutions have been hyped by networking vendors big and small, the biggest challenge for adoption, according to Krishna, revolves around users not understanding what NAC offers.

"There are legitimate business drivers for NAC adoption," Krishna said. "The challenge for us is helping to tease business problems out of customers and help them to understand where it can meet those needs."